= Introduction =

The build instructions for tap-windows6 [https://github.com/OpenVPN/tap-windows6/blob/master/README.rst are available] in it's Git repo. This page contains additional information that is more generic and not really suitable for inclusion in the main documentation.

= Codesigning =

Getting the [https://msdn.microsoft.com/en-us/library/windows/hardware/ff686697%28v=vs.85%29.aspx Authenticode signatures] right so that all Windows versions detect them can be quite tricky. This seems to be particularly true for kernel-mode driver packages. This section contains miscellaneous notes about signing driver packages.

== Installing certificates ==

Installing a PFX file to the Currentuser certificate store using Powershell:
{{{
Import-PfxCertificate –FilePath <path-to-pfx> cert:\CurrentUser\My -Password (ConvertTo-SecureString -String "mypassword" -Force –AsPlainText)
}}}
If you're not accustomed to Powershell you can just use ''mmc.exe'' and the certificate snap-ins to install the certificate.

== Querying the certificate store ==

To list all certificates in ''Currentuser\My'' store using Powershell:
{{{
Get-ChildItem cert:\CurrentUser\My
}}}
Or alternatively:
{{{
Set-Location cert:\CurrentUser\My
dir
}}}
The ''dir'' command is just an alias for ''Get-!ChildItem''

== Creating catalog files with inf2cat ==

To create a catalog file for a 32-bit driver:
{{{
Inf2Cat.exe /driver:<full-path-to-driver-directory> /os:Vista_x86,Server2008_X86,7_X86
}}}
To create a catalog file for a 64-bit driver:
{{{
Inf2Cat.exe /driver:<full-path-to-driver-directory> /os:Vista_X64,Server2008_X64,Server2008R2_X64,7_X64 
}}}
Example:
{{{
Inf2Cat.exe /driver:C:\Users\John\tap6\amd64 /os:Vista_X64,Server2008_X64,Server2008R2_X64,7_X64 
}}}

'''NOTE:''' According to Microsoft Inf2Cat requires a full path to the driver directory.

== Adding signatures using signtool.exe ==

Adding a signature using a (non-EV) certificate stored in a pfx file. This bypasses the Windows certificate store entirely, thus simplifying things a bit:

{{{
signtool.exe sign /v /ac <cross-certificate> /t <timestamp-url> /f <pfx-file> /p <pfx-password> <drivername>.cat 
}}}
Example:
{{{
signtool sign /v /ac digicert-cross-cert.crt /t http://timestamp.digicert.com /f kernel-mode.pfx /p <password> tap6/amd64/tap0901.cat
}}}

== Validating signatures ==

Verifying the Authenticode signature of a file using Powershell:

{{{
Get-AuthenticodeSignature <path-to-file>
}}}
Note that even if the above command says that the file's certificate is valid, there is absolutely no guarantee that various Windows versions will accept it. It is unclear whether the Cmdlet checks the entire certificate path or not: it does hang for long periods of time occasionally doing ''something''.

Using signtool.exe to verify a driver's signature probably gives more reliable results than the Get-!AuthenticodeSignature Cmdlet:
{{{
signtool verify /v /kp /c <drivername>.cat <drivername>.sys
}}}